Worm Turns Unpatched JBoss Servers into Botnet

A new worm exploiting a JBoss vulnerability that was patched in April 2010 is targeting unsecured servers and adding them to a botnet, security researchers are reporting. The worm affects earlier versions of JBoss (4 and 5) - versions 6 and 7 are unaffected. Johannes Ullrich of the SANS Technology Institute describes how the older configuration of JBoss only authenticated GET and POST requests, but did not protect other HTTP request types or interfaces, so attackers could use other methods to execute arbitrary code without authentication.

propagates by connecting to unprotected JMX consoles, then uses the ability of the JMX console to execute arbitrary code in the context of the JBoss user.

One user, who set up a honeypot on a deliberately unsecured JBoss server, reports that the payload

...contained Perl scripts to automatically connect the compromised host to an IRC Server and be part of a botnet, install and run a remote access tool using DynDNS (Flu.pl), and two Windows batch scripts, one is for exploring JBoss Services (wstools.bat) and a script to discover all UDP-based members running on a certain mcast addressJGroups called "JGroups Cluster Discovery Script for Win32" (probe.bat). Also included is Perl script (Linda.pl) that helps in invoking the JMX console.

The worm has been circulating for a few days at least, and it's not clear right now how many servers have been compromised or what the origins of it are. If nothing else, it does highlight the need for users to keep their systems, both servers and PCs, up-to-date. The update that fixes the flaw can be downloaded here. Instructions for securing the JMX console can be found here.